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In a series of recent papers, Hirota and Yuen claim to have identified a fundamental flaw in the 
theory underlying quantum cryptography, which would invalidate existing security proofs. In this 
short note, we sketch their argument and show that their conclusion is unjustified — it originates 
from a confusion between necessary and sufficient criteria for secrecy. 
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The purpose of this note is to refute a critique by Hi- 
rota [3 and Yuen concerning a basic criterion for 
secrecy [l(| Hl| , which is widely used in quantum cryp- 
tography and, in particular, serves as a basis for modern 
security proofs of Quantum Key Distribution (QKD). We 
first explain this criterion and then describe Hirota and 
Yuen's critique as well as the error in their argument. 

Secrecy in quantum cryptography. Realistic 
cryptographic keys (e.g., those obtained by QKD) are 
usually not perfectly secret. Rather, their secrecy is 
quantified by a parameter, e > 0, which bounds the maxi- 
mum tolerated deviation from an ideal key, i.e., a key that 
is perfectly uniformly distributed and independent of any 
information held by a potential adversary. Formally, a 
key S is said to be e-secret if the maximum advantage 
for distinguishing S from an ideal key is at most e [13j |. 
This definition guarantees that, in any application that 
is secure when using an ideal key (such as one-time-pad 
encryption), one may also use an e-secret key instead, 
with e corresponding to the failure probability caused by 
this replacement [14j. The notion of e-secrecy enables 
modular proofs of security, which is why one also refers 
to it as universally composable (UC) secrecy. 

For the considerations below, we will assume that the 
key S is a bit string of length £ (a typical value is £ = 10 6 ) 
and that e > is a small but strictly positive constant 
(for concreteness, one may set e = 10~ 20 , which is achiev- 
able by QKD and, at the same time, sufficient for all 
practical purposes [la]). 

Most modern quantum cryptographic security proofs, 
in order to establish secrecy of a key S, rely on a math- 
ematical criterion introduced in |10L [llj . The criterion 
is based on the trace distance [Tf|, which we denote by 
d(-, •), and demands that 



d(psE,Ps ® Pe) <£ 



(TD) 



where pse denotes the joint state of the key S and the 
information E held by the adversary, and ps is a com- 
pletely mixed state (corresponding to a uniformly dis- 
tributed S). The use of this criterion is justified by the 
following implication [l(J [H| 



Recent scepticism. Hirota [1] and Yuen ar- 
gue that the standard secrecy criterion (jTDI) does not 
actually imply secrecy, i.e., that the above implication is 
wrong (unless the parameter e in (|TD[) is chosen exponen- 
tially small in the key size). For concreteness, we refer in 
the following specifically to the paper by Hirota We 
note, however, that the argument is similar in spirit to 
Yuen's reasoning @-Q and, in fact, based on the latter. 

The critique is built upon an alternative criterion that 
can be used to establish the secrecy of a key S. The cri- 
terion demands that the probability P(S\E) that an ad- 
versary with knowledge E can correctly guess S is small, 
i.e., 



P(S\E) ~ 2" 



(HY) 



where £ is the length of S. It is then argued that this 
criterion is sufficient for secrecy, i.e., 



dHY} 



(UC secrecy) 



(2) 



This implication is correct (if one takes the approxima- 
tion in (|HY[) to mean that the relative error between the 
left and right hand side of ~ is at most e) [17|. Further- 
more, by explicit examples (p. 5 of [1]), it is shown, again 
correctly, that IIS] 



dHY} 



(3) 



jTD) 



(UC secrecy) 



(1) 



Hirota now seems to argue that ^ and © together 
imply that ([1]) is wrong. This conclusion is, however, 
logically wrong. It would only hold if the implication 
in ((2J went in the other direction, i.e., if fHY} was not 
only a sufficient, but also a necessary criterion for UC 
secrecy. But this is not true, as one can convince oneself 
by a simple example (ljjj . 

We conclude by remarking that the claim of Hirota and 
Yuen, if it would have been valid, would not only shake 
the foundations of quantum cryptography, but have an 
equally drastic impact on classical cryptography, where 
similar secrecy criteria are used [20]. However, as shown 
here, their claim is false. 
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tage for distinguishing S from S. 
[14] More precisely, when using an e-secret key S in an appli- 
cation, the probability of any event (e.g., that an adver- 
sary can correctly guess an encrypted message) is upper 
bounded by p + e, where p is the probability of the same 
event in an ideal scenario, where S is replaced by an ideal 
key. 
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above), it is generally sufficient to choose e smaller than 
the probability of a security breach due to other imperfec- 
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[17] In [l[, this claim is formulated as part of a definition (Def- 
inition 3), which may have contributed to the confusion. 
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and p[Y[l . one may consider the special case where E is 
trivial, i.e., uncorrelated to 5*. In this case, criterion (ITD|) 
corresponds to the requirement that the probabilities of 
S are on average not much larger than 2~ e (the probabil- 
ities of a uniform distribution), whereas criterion (|HY|) 
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bounded by 2~ . 

[19] Let e — 10~ 20 and let 5* be an ideal (perfectly uniform 
and secret) key of length £ = 10 6 . Furthermore, let S be a 
key that is identical to S, except if S is equal to the zero 
string, S — = 00 • ■ • 0, in which case we set 5 = 1 = 
11 • • ■ 1. Hence, by construction, the probability that S 
deviates from the ideal key S is upper bounded by 2 _£ < 
e, i.e., S is UC secret. However, the probability that S = 
1 is twice as large as it should be for a uniform string. 
Hence, an adversary guessing S = 1 would have a success 
probability of 2 • 2~ e , thus violating criterion (IHY|I . 

[20] For example, the definition of randomness extractors — a 
concept widely used in cryptography — is based on a clas- 
sical special case of criterion (|TD[) (with the trace dis- 
tance replaced by its classical analogue, the variational 
or statistical distance); see, e.g., [l2T |. 



